Introduction


The Information Commissioner’s Audit Committee (the Committee) 
provides scrutiny, oversight and assurance of risk control and governance 
procedures. Minutes of its meetings are available on the ICO’s website at 
www.ico.org.uk. 


Membership and attendance 


The Committee’s chair is Ailsa Beaton, who is a non-executive director 
and member of the Management Board. 


There are two other members of the Audit Committee: Jane McCall, who 
is a non-executive director and member of the Management Board; and 
Roger Barlow, who is an independent member. 


In 2019-20, the Committee met on 20 June 2019, 28 October 2019, 20 
January 2020, 20 April 2020, 22 June 2020 and 6 July 2020. This report 
was agreed at the Committee’s meeting on 6 July 2020. Attendance of 
members at Committee meetings is detailed in the ICO’s Annual Report 
and Accounts 2019-20. The Information Commissioner, Elizabeth Denham,
attended all meetings apart from 22 June 2020 and 6 July 2020.


The ICO’s external audit function in 2019-20 was provided by the National 
Audit Office, with BDO working on their behalf. The ICO’s internal audit 
function in 2019-20 was provided by Mazars. Representatives of external 
audit and internal audit attended all of the meetings, either in person or 
by telephone. 


Secretariat for the meetings was provided by the Corporate Governance
Team. 


Meetings during 2019-20 


The Committee considers the following issues as standing items at all of 
its meetings: 


• an update on current ICO issues from the Deputy Chief Executive
Officer;

• a review of the corporate risk register;

• the most recent monthly finance report;

• progress reports from the internal and external auditors;

• discussion of audit reports and performance in clearing outstanding
internal and external audit recommendations;

• reports on any single-tender contract awards over £25k; and

• updates on whether there have been any reported whistleblowing,
fraud or security incidents, and details of these where appropriate.


In addition, during the year the Committee considered the following 
matters: 


• the Annual Report & Accounts for 2018-19 and for 2019-20;

• an annual review of the full risk register;

• a deep dive into the risks relating to the ICO’s compliance culture;

• the ICO’s risk management policy and risk appetite statement;

• proposals and updates in relation to funding;

• business continuity preparations;

• the ICO’s response to the Covid-19 outbreak;

• the ICO’s service excellence work;

• cyber-security standards;

• the ICO’s procurement policy; and

• the National Audit Office’s six-monthly guidance updates to audit
committees.


Internal and external audit 


During the year, the Committee reviewed the audit plan and progress 
against it on a continual basis. The Committee considered internal audit 
reviews of: 


• Risk management;

• Core financial controls;

• Research grant payments;

• Programme and project management;

• Corporate governance;

• Third party service provider (IT);

• Payroll; and

• Freedom of information — complaints and appeals.


In these audits, Mazars made 39 formal audit recommendations, of which 
28 have been completed. 11 recommendations are not yet due for 
completion. 


Mazars’ Annual Internal Audit Report 2019-20 concluded that “on the
basis of our audit work, our opinion on the framework of governance, risk
management, and control is Moderate in its overall adequacy and
effectiveness. Certain weaknesses and exceptions were highlighted by our
audit work, however none were considered fundamental. These matters
have been discussed with management, to whom we have made a
number of recommendations. All of these have been, or are in the process
of being addressed, as detailed in our individual reports.” (“Moderate” is
defined by Mazars as “Some improvements are required to enhance the
adequacy and effectiveness of the framework of governance, risk
management and control.”)


The National Audit Office Audit Completion Report 2019-20 concluded that
“we anticipate recommending to the Comptroller and Auditor General
(C&AG) that he should certify the 2019-20 financial statements with an
unqualified audit opinion, without modification in respect of both
regularity and the true and fair view on the financial statements.”


Audit Committee opinion 


Given the opinion of the internal auditors and external auditors as 
expressed in their annual reports, and the other information available to it 
from its work during the year, the Audit Committee can therefore provide 
the Commissioner, as Accounting Officer, with reasonable assurance that 
the ICO’s control mechanisms are working satisfactorily. 


The Committee is satisfied with the quality of internal and external audit. 
The Committee believes that, by virtue of this work, it is able to take a 
measured and diligent view of the quality of financial and other systems 
of reporting and control within the ICO. The Committee welcomed the 
ratings of substantial assurance in the audits for Third Party Service 
Provider, Freedom of Information Complaints and Appeals, and Payroll. 
The Committee is satisfied that the ICO has appropriate systems of 
internal control, which work well. 


In respect of its own performance the Committee considers that it has 
directed the internal audit function towards areas relevant to the risks 
facing the ICO. It has constructively challenged management and the 
internal audit function. It has received a high level of cooperation and 
support from all concerned. Responses to audit recommendations from
management are positive and the Committee is satisfied that 
management within the ICO is committed to maintaining an appropriate 
level of internal control and prudent use of resources. 


This opinion feeds into the Commissioner’s drafting of the Governance 
Statement for 2019-20, which was considered by the Audit Committee at 
its April 2020, June 2020 and July 2020 meetings. 


6 July 2020. 


